New Variant of ElGamal Signature Scheme


Int. J. Contemp. Math. Sciences, Vol. 5, 2010, no. 34, 1653-1662

Omar Khadir
Department of Mathematics, Faculty of Science and Technology, University of Hassan II-Mohammedia, Morocco
khadir@hotmail.com

Abstract

In this paper, a new variant of ElGamal signature scheme is presented and its security analyzed. We also give, for its theoretical interest, a general form of the signature equation.

Mathematics Subject Classification: 94A60

Keywords: Public key cryptography, ElGamal signature scheme, discrete logarithm problem

1 Introduction

Since the invention of public key cryptography in the late 1970s [2, 13, 12], several new subjects related to data security, such as identification, authentication, zero-knowledge proof and secret sharing, have been explored. Among all these issues, perhaps the most important is how to build secure digital signature systems. For more than three decades the topic, probably due to its fundamental and practical role in electronic funds transfer, has been intensively investigated [10, 15, 14, 4, 1, 11, 9].

Digital signature algorithms rest on a single principle. To sign a message $m$, Alice, with the help of her private key, must answer a question asked by Bob, the verifier. The question is naturally a function of $m$. Nobody other than Alice, not even the asker himself, is able to forge her signature and give the right answer. In most digital signature schemes, the question considered is a difficult mathematical equation depending on $m$ as a parameter. Only Alice, because she possesses a private key, is able to solve it. In this protocol, we are not necessarily concerned with the security of the transmitted data. Indeed, Bob and Alice can publish respectively the equation and the solution on two protected and separate personal servers.

In 1985, ElGamal [3], inspired by the ingenious ideas of Diffie and Hellman on new directions in cryptography [2], was one of the first to propose a practical signature scheme. Used properly, this signature system has never been broken. He built it on a simple equation with two unknown variables. The hardness of this equation relies on the discrete logarithm problem [7, p.103].

In general, one can derive a signature scheme from a public key cryptosystem. Curiously, in his paper [3], ElGamal did not exploit this possibility, and it is still unclear how he found his signature equation. This fact has encouraged many researchers to look for equations having properties similar to those of ElGamal. See, for instance, [14, 4, 5]. Some practical signature protocols, such as the Schnorr method [14] and the digital signature algorithm DSA [8], are directly derived from the ElGamal scheme.

The ElGamal signature scheme continually faces more and more sophisticated attacks. If the system is completely broken, alternative protocols, previously designed, prepared and tested, would be useful. In this work we present a new variant of the ElGamal signature method and analyze its security. Furthermore, we give, just for its theoretical interest, a general form of our signature equation.

The paper is organized as follows. In section 2, we review the basic ElGamal signature algorithm and recall the main known attacks. Our new variant and a theoretical generalization are presented in section 3. We conclude in section 4.

In the sequel, we adopt the notation of the ElGamal paper [3]. $\mathbb{Z}$ and $\mathbb{N}$ are respectively the sets of integers and non-negative integers. For every positive integer $n$, we denote by $\mathbb{Z}_n$ the finite ring of modular integers and by $\mathbb{Z}_n^*$ the multiplicative group of its invertible elements. Let $a$, $b$, $c$ be three integers. The greatest common divisor of $a$ and $b$ is denoted by $\gcd(a, b)$. We write $a \equiv b \ [c]$ if $c$ divides the difference $a - b$, and $a = b \bmod c$ if $a$ is the remainder in the division of $b$ by $c$.

We start by describing the original ElGamal signature scheme.

2 ElGamal Original Signature Scheme

We recall in this section the basic ElGamal protocol in three steps, followed by the best-known attacks.

2.1. ElGamal Algorithm

1. Alice begins by choosing three numbers:
- $p$, a large prime integer.
- $\alpha$, a primitive root [7, p.69] of the finite multiplicative group $\mathbb{Z}_p^*$.
- $x$, a random element in $\{1, 2, \ldots, p-1\}$.

She computes $y = \alpha^x \bmod p$. We then consider $(p, \alpha, y)$ to be Alice's public key and $x$ her private key.

2. Assume that Alice wants to sign the message $m < p$. She must solve the congruence

$$\alpha^m \equiv y^r\, r^s \ [p] \qquad (1)$$

where $r$ and $s$ are two unknown variables. Alice fixes $r$ arbitrarily to be $r = \alpha^k \bmod p$, where $k$ is chosen randomly and invertible modulo $p-1$. She has exactly $\varphi(p-1)$ possibilities for $k$, where $\varphi$ is the Euler phi function [7, p.65]. Equation (1) is then equivalent to:

$$m \equiv xr + ks \ [p-1] \qquad (2)$$

As Alice possesses the secret key $x$, and as the integer $k$ is invertible modulo $p-1$, she computes the second unknown variable $s$ by:

$$s \equiv \frac{m - xr}{k} \ [p-1]$$

3. Bob can verify the signature by checking that congruence (1) is valid.

The key generation problem must be taken into account. The algorithms that exist for generating prime integers are essentially probabilistic. In a recent previous work [6], we obtained experimental results on the subject. Now, we recall the main known attacks.

2.2. Main attacks

The first attack was mentioned by ElGamal himself [3]. It is not recommended to sign two different messages with the same secret exponent. As the complete justification of this attack does not appear in the ElGamal paper, we reproduce here the proof from [16, p. 291], which seems to us less restrictive than that in [7, p.455].

Proposition 2.1. If Alice signs more than one message with the same secret exponent, then her system can be totally broken.

Proof. Let $(m_1, r, s_1)$ and $(m_2, r, s_2)$ be the signatures of the two messages $m_1$ and $m_2$ with the same secret exponent $k$. Due to relation (2), we retrieve Alice's secret key $x$ if we find the value of the parameter $k$, provided that $r$ is invertible modulo $p-1$. We have $m_1 \equiv xr + ks_1 \ [p-1]$ and $m_2 \equiv xr + ks_2 \ [p-1]$, so:

$$m_1 - m_2 \equiv k\,(s_1 - s_2) \ [p-1] \qquad (3)$$

If we put $\gcd(s_1 - s_2, p-1) = d$, there exist two integers $S$ and $P$ such that $s_1 - s_2 = dS$, $p-1 = dP$ and $\gcd(S, P) = 1$. Thus relation (3) becomes:

$$m_1 - m_2 = k\,(s_1 - s_2) + K\,(p-1) = kdS + KdP, \quad K \in \mathbb{Z}.$$

With $M = kS + KP$, we obtain $M \equiv kS \ [P]$. As $S$ is invertible modulo $P$, we have

$$k = MS^{-1} + KP \qquad (4)$$

Since $k < p-1$ and $p-1 = dP$, we deduce that $K < d$. By equality (4), we can test every value of $K$ and check if $r \equiv \alpha^k \ [p]$. We find $K$ if $d$ is not too large.

In 1996, Bleichenbacher [1] discovered an important fact: when some parameters are smooth [16, p.197], it is possible to forge an ElGamal signature without solving the discrete logarithm problem. We present here a slightly modified version of his result.

Proposition 2.2. Let $(p, \alpha, y)$ be Alice's public key. Suppose that $\beta < p$ is a positive integer for which one can efficiently compute $t \in \mathbb{N}$ such that $\alpha \equiv \beta^t \ [p]$. If $\dfrac{p-1}{\gcd(p-1, \beta)}$ is smooth, then an adversary of Alice will be able to forge her signature for any given message $M$.

Proof. Let $D = \gcd(p-1, \beta)$ and $\beta = \lambda D$, $\lambda \in \mathbb{N}$. We denote by $H$ the subgroup of $\mathbb{Z}_p^*$ generated by $\alpha^D \bmod p$. Since $y^D \equiv (\alpha^x)^D \equiv (\alpha^D)^x \ [p]$, we have $y^D \in H$. From a well-known result, as the order $(p-1)/D$ of $H$ is smooth, the discrete logarithm problem is computationally feasible: one can efficiently find $z_0 \in \mathbb{N}$ such that $y^D \equiv (\alpha^D)^{z_0} \ [p]$. Let $M$ be a message to be signed and $m = h(M) \bmod p$, where $h$ is a public hash function. Alice's adversary sets $r = \beta$. The ElGamal signature equation (1) becomes:

$$\beta^{tm} \equiv y^{\beta} \beta^{s} \equiv y^{\lambda D} \beta^{s} \equiv (\alpha^D)^{z_0 \lambda} \beta^{s} \equiv \beta^{\lambda t z_0 D} \beta^{s} \ [p]$$

Hence $s \equiv t\,(m - \beta z_0) \ [p-1]$, and then the couple $(r, s)$ is a valid signature of the message $M$, which completes the proof.

Observe that it is not so surprising to choose $r = \beta$ or $r = \beta^i \bmod p$, $i \in \mathbb{N}$, since $\beta^t \equiv \alpha \ [p]$ implies that $\beta$ is another generator of $\mathbb{Z}_p^*$.

The next section presents our main contribution.

3 New Variant and Theoretical Generalization

In this section, we suggest a new variant of the ElGamal signature scheme based on an equation with three unknown variables. The method does not need the computation of the inverse of the secret exponent and so avoids the use of the extended Euclidean algorithm. Technical report [4], although it collected several signature equations, did not study the case we propose here.

3.1. Our protocol

We suppose first that $h$ is a public secure hash function. We can take $h$ equal to the secure hash algorithm SHA1 [7, Chap.9] and [16, Chap.5].

1. Alice begins by choosing her public key $(p, \alpha, y)$, where $p$ is a large prime integer, $\alpha$ is a primitive element of the finite multiplicative group $\mathbb{Z}_p^*$ and $y = \alpha^x \bmod p$. The element $x$, which is a random integer in $\{1, 2, 3, \ldots, p-1\}$, is Alice's private key.

2. Assume that Alice wants to sign the message $M < p$. She must solve the congruence

$$\alpha^t \equiv y^r\, r^s\, s^m \ [p] \qquad (5)$$

where $r$, $s$ and $t$ are three unknown variables and $m = h(M) \bmod p$. Alice fixes $r$ arbitrarily to be $r = \alpha^k \bmod p$, and $s$ to be $s = \alpha^l \bmod p$, where $k$, $l$ are chosen randomly in $\{1, 2, \ldots, p-1\}$. Equation (5) is then equivalent to:

$$t \equiv rx + ks + lm \ [p-1]. \qquad (6)$$

As Alice holds the secret key $x$ and knows the values of $r$, $s$, $k$, $l$, $m$, she is able to compute the third unknown variable $t$.

3. Bob can verify the signature by checking that congruence (5) holds.

Our scheme has the advantage that it does not need the extended Euclidean algorithm for computing $k^{-1}$ modulo $p-1$. This may be an answer to the problems raised in [9, subsection 1.3]. To illustrate the technique, we give the following small example.

Example 3.1. Let $(p, \alpha, y)$ be Alice's public key, where $p = 509$, $\alpha = 2$ and $y = 482$. We emphasize that we are not sure whether using a small value of $\alpha$ weakens the system. The private key is $x = 281$. Suppose that Alice wants to produce a signature for the message $M$ for which $m \equiv h(M) \equiv 432 \ [508]$, with the two random exponents $k = 208$ and $l = 386$. She computes $r \equiv \alpha^k \equiv 2^{208} \equiv 332 \ [p]$, $s \equiv \alpha^l \equiv 2^{386} \equiv 39 \ [p]$ and $t \equiv rx + ks + lm \equiv 440 \ [p-1]$. Bob or anyone else can verify the relation $\alpha^t \equiv y^r r^s s^m \ [p]$. Indeed, we find that $\alpha^t \equiv 436 \ [p]$ and $y^r r^s s^m \equiv 436 \ [p]$. Notice here that $k$ and $l$ are even integers, unlike in the ElGamal protocol, where the exponent $k$ is always odd since it must be relatively prime to $p-1$.

3.2. Security analysis

Suppose that Oscar is an adversary of Alice. Let us discuss some possible and realistic attacks.

Attack 1: Knowing all signature parameters for a particular message $M$, Oscar tries to find Alice's secret key $x$. Equation (5) is equivalent to $\alpha^t \equiv \alpha^{xr} r^s s^m \ [p]$, so $\alpha^{rx} \equiv \alpha^{t}\, r^{-s} s^{-m} \ [p]$. Therefore, Oscar is confronted with the hard discrete logarithm problem. If Oscar prefers to work with relation (6), he needs to know $k$ and $l$. Their computation leads to the discrete logarithm problem.

Attack 2: Oscar tries to forge Alice's signature for a message $M$ by first fixing two of the unknown variables arbitrarily and looking for the third parameter.

(1) Suppose for example that Oscar has fixed $r$, $s$, and tries to solve equation (5) in the variable $t$. Here again, he will be confronted with the discrete logarithm problem.

(2) Assume that Oscar has fixed $r$ and $t$. We have from relation (5): $r^s s^m \equiv \alpha^t y^{-r} \ [p]$, and there is no known way to solve this equation.

(3) Assume now that Oscar has fixed $s$ and $t$. We have from relation (5): $y^r r^s \equiv \alpha^t s^{-m} \ [p]$, and this equation is similar to the last case, so it is intractable.

Attack 3: Suppose that Oscar has collected $n$ valid signatures for messages $M_i$, $i \in \{1, 2, 3, \ldots, n\}$ and $n \in \mathbb{N}$. He will obtain a system of $n$ modular equations:

$$(S) \quad \begin{cases} t_1 \equiv x r_1 + k_1 s_1 + l_1 m_1 \ [p-1] \\ t_2 \equiv x r_2 + k_2 s_2 + l_2 m_2 \ [p-1] \\ \quad \vdots \\ t_n \equiv x r_n + k_n s_n + l_n m_n \ [p-1] \end{cases}$$

where, for all $i \in \{1, 2, 3, \ldots, n\}$, $r_i \equiv \alpha^{k_i} \ [p]$, $s_i \equiv \alpha^{l_i} \ [p]$ and $m_i \equiv h(M_i) \ [p]$. Since system (S) contains $2n+1$ unknown variables $x$, $r_i$, $s_i$, $i \in \{1, 2, 3, \ldots, n\}$, Oscar can find several valid solutions. However, as $x$ is Alice's secret key, it has a unique possible value, and therefore Oscar will never be sure which value of $x$ is the correct one. Consequently, this attack is to be rejected.

The next result is similar to one that exists for the ElGamal scheme.
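The signing and verification steps of section 3.1, run on the numbers of Example 3.1, as an added Python example that is not part of the paper. The function names, the `sign_message` wrapper and the range checks in `verify` are assumptions introduced here; the paper itself only states congruences (5) and (6).

```python
import hashlib
import secrets

# Alice's toy key from Example 3.1 (illustration only; p is far too small).
P, ALPHA, X, Y = 509, 2, 281, 482


def digest(message: bytes, p: int) -> int:
    """m = h(M) mod p with h = SHA-1, the hash the paper suggests."""
    return int.from_bytes(hashlib.sha1(message).digest(), "big") % p


def sign(p, alpha, x, m, k, l):
    """Solve congruence (5) for t with r and s fixed by the exponents k and l."""
    r = pow(alpha, k, p)
    s = pow(alpha, l, p)
    # Relation (6): only multiplications and additions modulo p - 1,
    # so no inverse of k is computed, unlike in the original ElGamal scheme.
    t = (r * x + k * s + l * m) % (p - 1)
    return r, s, t


def verify(p, alpha, y, m, signature):
    """Check congruence (5): alpha^t = y^r * r^s * s^m (mod p)."""
    r, s, t = signature
    # Assumption added here, not stated in the paper: reject values outside
    # the ranges an honest signer can produce before doing any arithmetic.
    if not (0 < r < p and 0 < s < p and 0 <= t < p - 1):
        return False
    left = pow(alpha, t, p)
    right = pow(y, r, p) * pow(r, s, p) * pow(s, m, p) % p
    return left == right


def sign_message(p, alpha, x, message: bytes):
    """Hash the message and draw fresh k, l uniformly from {1, ..., p - 1}."""
    k = secrets.randbelow(p - 1) + 1
    l = secrets.randbelow(p - 1) + 1
    return sign(p, alpha, x, digest(message, p), k, l)


def example_3_1():
    """Reproduce Example 3.1: m = 432, k = 208, l = 386."""
    signature = sign(P, ALPHA, X, 432, 208, 386)
    alpha_t = pow(ALPHA, signature[2], P)
    return signature, alpha_t, verify(P, ALPHA, Y, 432, signature)


if __name__ == "__main__":
    sig, alpha_t, ok = example_3_1()
    print(sig, alpha_t, ok)                    # (332, 39, 440) 436 True
    print(verify(P, ALPHA, Y, 433, sig))       # False: a different m is rejected
    msg = b"constructed sample message"
    print(verify(P, ALPHA, Y, digest(msg, P), sign_message(P, ALPHA, X, msg)))
```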

Proposition 3.2. If no hash function is used, then Oscar can existentially forge Alice's signature.

Proof. Assume that Alice produces the parameters $(r, s, t)$ as a signature for the message $M$. So $\alpha^t \equiv y^r r^s s^m \ [p]$. Let $k, k', l, l' \in \mathbb{N}$ be four arbitrary integers with $\gcd(l', p-1) = 1$. If Oscar chooses $r \equiv \alpha^k y^{k'} \ [p]$ and $s \equiv \alpha^l y^{l'} \ [p]$, he would obtain:

$$\alpha^t \equiv y^r\, (\alpha^{ks} y^{k's})\,(\alpha^{lm} y^{l'm}) \ [p]. \qquad (7)$$

Relation (7) holds if

$$\begin{cases} t - ks - lm \equiv 0 \ [p-1] & (7.1) \\ r + k's + l'm \equiv 0 \ [p-1] & (7.2) \end{cases}$$

Oscar computes $m$ from equality (7.2): $m \equiv -\dfrac{r + k's}{l'} \ [p-1]$; and from (7.1) he has $t \equiv ks - \dfrac{l\,(r + k's)}{l'} \ [p-1]$. Thus $(r, s, t)$ is a valid signature for the message $m$.

Remark 3.3. Alice can sign two messages with the same couple of secret exponents. Indeed, let $(r, s, t_1)$ and $(r, s, t_2)$ be the signatures of the two different messages $M_1$ and $M_2$ associated to the secret exponents $(k, l)$. We have

$$\begin{cases} t_1 \equiv xr + ks + lm_1 \ [p-1] \\ t_2 \equiv xr + ks + lm_2 \ [p-1] \end{cases}$$

where $m_1 \equiv h(M_1) \ [p-1]$ and $m_2 \equiv h(M_2) \ [p-1]$. We can follow the method used in the proof of Proposition 2.1 and find the value of $l$, but it seems that it is not an easy task to retrieve the secret parameters $k$ and $x$.

3.3. Complexity of our method

As in [5], let $T_{exp}$, $T_{mult}$, $T_h$ be respectively the time to perform a modular exponentiation, a modular multiplication and the hash function computation of a message $M$. We ignore the time required for modular additions, subtractions and comparisons, and make the conversion $T_{exp} = 240\, T_{mult}$.

The signer Alice needs to perform two modular exponentiations, three modular multiplications and one hash function computation. So the global required time is:

$$T_1 = 2T_{exp} + 3T_{mult} + T_h = 483\, T_{mult} + T_h.$$

The verifier Bob needs to perform four modular exponentiations, two modular multiplications and one hash function computation. So the global required time is:

$$T_2 = 4T_{exp} + 2T_{mult} + T_h = 962\, T_{mult} + T_h.$$

The cost of communication, without $M$, is $6|p|$, since to sign, Alice transmits $(p, \alpha, y)$ and $(r, s, t)$. $|p|$ denotes the bit-length of the integer $p$.

Observe that the complexity of our method is not too high relative to that of the ElGamal scheme or to that in [5].
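What reusing secret exponents leaks, for both Proposition 2.1 (original ElGamal) and Remark 3.3 (the variant), as an added Python example that is not from the paper. It reuses the toy key of Example 3.1; the second message value 100, the exponent k = 211 and all function names are constructed for the illustration, and filtering the candidates for x against y also covers an r that is not invertible modulo p - 1, which goes slightly beyond the proof.

```python
from math import gcd

# Toy key from Example 3.1 of the paper (illustration only).
PRIME, ALPHA, X, Y = 509, 2, 281, 482
ORDER = PRIME - 1


def solve_congruence(a, b, n):
    """Return every z in [0, n) with a*z = b (mod n).

    With d = gcd(a, n) there are d candidates z0 + K*(n/d), 0 <= K < d:
    the values of K tested in the proof of Proposition 2.1.
    """
    a, b = a % n, b % n
    d = gcd(a, n)
    if b % d:
        return []
    a_red, b_red, n_red = a // d, b // d, n // d   # S, M and P of the proof
    z0 = b_red * pow(a_red, -1, n_red) % n_red if n_red > 1 else 0
    return [z0 + K * n_red for K in range(d)]


def elgamal_sign(m, k):
    """Original ElGamal (section 2.1): r = alpha^k, s = (m - x r) / k mod p-1."""
    r = pow(ALPHA, k, PRIME)
    return r, (m - X * r) * pow(k, -1, ORDER) % ORDER


def variant_sign(m, k, l):
    """Variant (section 3.1): t = x r + k s + l m mod p-1."""
    r, s = pow(ALPHA, k, PRIME), pow(ALPHA, l, PRIME)
    return r, s, (X * r + k * s + l * m) % ORDER


def elgamal_reuse_leak(m1, sig1, m2, sig2):
    """Proposition 2.1: two ElGamal signatures with the same r give k, then x."""
    (r, s1), (_, s2) = sig1, sig2
    # Relation (3): m1 - m2 = k (s1 - s2) [p-1]; keep the candidate with alpha^k = r.
    k = next(c for c in solve_congruence(s1 - s2, m1 - m2, ORDER)
             if pow(ALPHA, c, PRIME) == r)
    # Relation (2): x r = m1 - k s1 [p-1]; keep the candidate with alpha^x = y.
    x = next(c for c in solve_congruence(r, m1 - k * s1, ORDER)
             if pow(ALPHA, c, PRIME) == Y)
    return k, x


def variant_reuse_leak(m1, sig1, m2, sig2):
    """Remark 3.3: t1 - t2 = l (m1 - m2) [p-1] gives l, checked against s = alpha^l."""
    (_, s, t1), (_, _, t2) = sig1, sig2
    return next(c for c in solve_congruence(m1 - m2, t1 - t2, ORDER)
                if pow(ALPHA, c, PRIME) == s)


def reuse_detected(signatures):
    """Signer-side audit (added here): a repeated r, or (r, s) pair, means reuse."""
    seen = [sig[:-1] for sig in signatures]
    return len(seen) != len(set(seen))


if __name__ == "__main__":
    e1, e2 = elgamal_sign(432, 211), elgamal_sign(100, 211)
    print(elgamal_reuse_leak(432, e1, 100, e2))   # (211, 281): k and x recovered
    v1, v2 = variant_sign(432, 208, 386), variant_sign(100, 208, 386)
    print(variant_reuse_leak(432, v1, 100, v2))   # 386: l recovered
    print(reuse_detected([v1, v2]))               # True
```

In both runs gcd(332, 508) = 4, so four candidates are produced and the public value r (or s) selects the right one.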

3.4. Theoretical generalization

Let $h$ be a public secure hash function.

1. Alice begins by choosing her public key $(p, \alpha, y)$, where $p$ is a large prime integer, $\alpha$ is a primitive element of the finite multiplicative group $\mathbb{Z}_p^*$ and $y = \alpha^x$, where $x$ is a random integer in $\{1, 2, 3, \ldots, p-1\}$. $x$ is Alice's private key.

2. Assume that Alice wants to sign the message $m < p$. She must solve the congruence

$$\alpha^t \equiv y^{r_1}\, r_1^{r_2}\, r_2^{r_3} \cdots r_{n-1}^{r_n}\, r_n^{m} \ [p] \qquad (8)$$

where $r_1, r_2, \ldots, r_n, t$ are $n+1$ unknown variables. Alice fixes $r_1$ arbitrarily to be $r_1 = \alpha^{k_1}$, $r_2$ to be $r_2 = \alpha^{k_2}$, ..., and $r_n$ to be $r_n = \alpha^{k_n}$, where $k_1, k_2, \ldots, k_n$ are chosen randomly. Equation (8) is then equivalent to:

$$t \equiv x r_1 + k_1 r_2 + \ldots + k_{n-1} r_n + k_n m \ [p-1]. \qquad (9)$$

As Alice holds the secret key $x$ and knows the values $r_i$, $k_j$, $m$, $i \in \{1, 2, \ldots, n\}$, she is able to compute the $(n+1)$th unknown variable $t$.

3. Bob can check that verification condition (8) is valid.

Remark 3.4. Let $u = (x, k_1, k_2, \ldots, k_n)$ be Alice's vector of secret keys and $v = (r_1, r_2, \ldots, r_n, m)$ the vector of signature parameters. If $u \cdot v$ denotes the scalar product, then the last signature parameter $t$ can be obtained from the modular equation $t \equiv u \cdot v \ [p-1]$, which is an immediate consequence of relation (9).

4 Conclusion

In this work, we described a new variant of the ElGamal signature scheme and analyzed its security. Our method relies on an equation similar to ElGamal's, with three unknown variables, and it avoids the use of the extended Euclidean algorithm. We also gave a generalization for its theoretical interest.

For the future, one may try to see how to improve our new variant. One idea is to replace the modular group $\mathbb{Z}_p^*$ by a subgroup whose order is a prime divisor of $p-1$, or by other remarkable structures such as the group of an elliptic curve.

References

[1] D. Bleichenbacher, Generating ElGamal signatures without knowing the secret key, In Advances in Cryptology, Eurocrypt 96, LNCS 1070, Springer-Verlag, (1996), 10-18.
[2] W. Diffie and M. E. Hellman, New directions in cryptography, IEEE Transactions on Information Theory, vol. IT-22, (1976), 644-654.
[3] T. ElGamal, A public key cryptosystem and a signature scheme based on discrete logarithm problem, IEEE Trans. Info. Theory, IT-31, (1985), 469-472.
[4] P. Horster, M. Michels, H. Petersen, Generalized ElGamal signature schemes for one message block, Technical Report, TR-94-3, 1994.
[5] E. S. Ismail, N. M. F. Tahat and R. R. Ahmad, A new digital signature scheme based on factoring and discrete logarithms, J. of Mathematics and Statistics (4): (2008), 222-225.
[6] O. Khadir, L. Szalay, Experimental results on probable primality, Acta Univ. Sapientiae, Math. 1, no. 2, (2009), 161-168. Available at http://www.emis.de/journals/ausm/c1-2/math2-6.pdf
[7] A. J. Menezes, P. C. van Oorschot and S. A. Vanstone, Handbook of applied cryptography, CRC Press, Boca Raton, Florida, 1997. Available at http://www.cacr.math.uwaterloo.ca/hac/
[8] National institute of standard and technology (NIST). FIPS Publication 186, DSA, Department of commerce, 1994. http://www.itl.nist.gov/fipspubs/fip186.htm
[9] P. Q. Nguyen and I. E. Shparlinski, The insecurity of the digital signature algorithm with partial known nonces, J. of Cryptology, Vol. 15, (2002), 151-176.
[10] H. Ong, C.P. Schnorr and A. Shamir, Efficient signature schemes on polynomial equations, In Advances in Cryptology, Crypto 84, LNCS 196, Springer-Verlag, (1985), 37-46.
[11] D. Pointcheval and J. Stern, Security proof for signature schemes, In Advances in Cryptology, Eurocrypt 96, LNCS 1070, Springer-Verlag, (1996), 387-398.
[12] M. O. Rabin, Digitalized signatures and public key functions as intractable as factoring, MIT/LCS/TR, Vol. 212, 1979.
[13] R. Rivest, A. Shamir and L. Adleman, A method for obtaining digital signatures and public key cryptosystems, Communication of the ACM, Vol. no 21, (1978), 120-126.
[14] C. P. Schnorr, Efficient signatures generation by smart cards, In Advances in Cryptology, Crypto 89, LNCS 435, Springer-Verlag, (1990), 239-252.
[15] A. Shamir, How to prove yourself : practical solutions to identification and signature problems, In Advances in Cryptology, Crypto 86, LNCS 196, Springer-Verlag, (1987), 186-194.
[16] D. R. Stinson, Cryptography, theory and practice, Third Edition, Chapman & Hall/CRC, 2006.

Received: January, 2010